Thursday, 28 March 2013

On Friday I presented a webinar, on scenario-based
exercising, as part of the Business Continuity Institute's Business Continuity
Awareness Week 2013. And I have to tell you, it was one of the most nerve-wracking
things I've done for a long time.

Which is a bit bizarre, really, as I do presentations all
the time, to audiences of various sizes (that's numbers of people, as opposed
to body mass). I'll admit that there are often a few butterflies just before
the start, but nothing particularly serious.

The difference with this one was the strangeness of it all.
I was effectively presenting to an empty room and it felt like I was talking to
myself - into my 'phone but with no-one on the other end. Except I wasn't,
because there was quite a decent sized audience out there, somewhere. All I
knew was that there were 76 of them. I only knew that because there was a
little green "76" on my computer screen. I didn't know who they were,
what they looked like, where they were, why they were listening or what they
were expecting.

The strangest thing was the absence of any feedback (aside
from the online polls I did in an attempt to discover some small snippet of
information about the audience). I didn't have the faintest idea whether people
were nodding in agreement, smiling, shaking their heads, falling asleep, going
off to make a cup of tea or checking their e-mails (heaven forbid). All I could
see was that little green number telling me that 76 people were at least still
logged in and all I could hear was a deafening silence on the other end of the
line. It was very disconcerting for someone who likes to see the whites
of his audience's eyes.

It didn't help that, having logged in, as instructed, well
in advance of the start time, the webinar system then insisted on telling me,
every minute, via one of those awful "press one to be ignored for a bit
longer" recorded voices, how long was left until show time, followed by a
final countdown that did nothing to ease my pre-match nerves.

Then there was the system itself. I'd had a trial run -
which was just as well really as when I tried it with a headset the sound
quality was awful and I had to revert to the 'phone's handset. Which meant I
couldn't move further than the length of its cable, and that severely curtailed
my usual habit of going for a bit of a wander when I'm presenting. And some of
the system's features weren't available on the test site so I was learning as I
went along on the day. All in all I found it just a teeny bit unnerving. I was
out of my comfort zone, I suppose.

I ended up standing up for most of the session, adopting a
sort of 1960s horror film manservant hunch over my computer screen and mouse,
along with a sort of side-to-side shamble. So it's just as well my audience
couldn’t see me either. But, after a bit of a wobbly start, I got my act
together, my nerves settled and I got on with the job in hand. In the end I
received a pretty decent score, along with some very complimentary comments, so
it can't have been that bad - it just felt like it to me at the time.

Afterwards I couldn't help thinking that there were some
parallels with exercising and testing our business continuity capability, which
was the topic of the webinar.

Monday, 25 March 2013

In the BCI’s report Horizon Scan 2013, one of the key trends
of concern identified by Business Continuity professionals was “increasing
supply chain complexity”. So on Tuesday 19th March, the BCI
and the Chartered Institute of Purchasing & Supply (CIPS) convened a
roundtable of senior supply chain, risk and business continuity practitioners
from sectors as diverse as retail, manufacturing, energy, housing, construction
and telecommunications to share experiences and discuss how they were dealing
with the challenge.

If folk were hoping that complexity is something that will
stop or slowly unwind, then they would not have got much comfort from the
discussion.

﻿

BCAW Roundtable Discussion 2013

Perhaps, the most important driver of complexity is the
customer and the desire of businesses to develop the right supply chain to meet
the needs of the customer. For example, the supply chain required to be
able to sell a product as “made in Italy” sets its own restrictions and risks
that need to be managed.

Many of the drivers of complexity have come about through
conscious business decisions. A number of organisations had decided to
consolidate their tier one suppliers – while this simplifies the number of
interfaces at tier one, what is has done has created many more tiers below the
immediate supplier, reducing visibility. Participants noted that they
were now experiencing disruption originating at tiers five and even six!

Another issue raised by a number of people was around the
illusion of diversity that dual-sourcing can bring. While many had
introduced dual-sourcing in terms of immediate suppliers, some had found to
their cost that at tier two or three they were reliant on a single supplier
again. This point opened up a wider discussion about how difficult it was
to understand interdependencies between suppliers and that the term supply
chain should perhaps be replaced by ‘supply chain networks’.

Some sectors were suffering from lack of communication
around changes in their extended supply chain. More than one participant
commented that their suppliers would change the location of production or the
people providing a service without informing them, so organisations would be
caught out in finding that an event, for example industrial action, in one
country affected them, even though they didn’t think they had any exposure to
the event.

Representatives from the public sector provided an
interesting contrast to their colleagues in the private sector. Their
driver of complexity was government policy which was requiring not supplier
consolidation but increasing their spend with small and medium sized
businesses, while this was sometimes managed through a large tier one supplier,
there was a need to monitor the success of this policy and provide extensive
training and development support for small businesses to work with government
entities.

The consequences of redrawing the boundaries of
organisations over many years through outsourcing were also flagged as creating
challenges in that the suppliers often had more knowledge and expertise than
the client. Some felt that too much intellectual power had been outsourced and
one organisation stated that they were now bringing back in-house some of the
higher skilled activities.

In concluding this part of the roundtable discussion, it’s
much clearer why complexity is such a taxing trend for Business Continuity
professionals and why it is so important to find an approach to manage it
effectively.

In Part 2 of this roundtable report, we’ll look at some of
the techniques that are being used to manage complexity.

We are all familiar with the expression “practice makes
perfect” and never has a truer word been spoken.Practising is all about rehearsing again and
again until you have mastered the role you’ve been assigned; but, it is also
about improving your behaviour.

Today’s BCAW 2013 webinar of my choice was the one on exercising, or
rather scenario-based exercising, which was presented by Andy Osborne MBCI,
Associate Consultant at Clearview-Continuity.

The first question
Andy raised was, why bother with exercises?

Well, the short answer is that it takes a lot of time,
effort, resources and money to write a Business Continuity Plan (BCP) and if
you want to see a return on this investment, you need to make sure it
works.Simply having a BCP in place will
not save your business; what will save it is having the right people with the
right capability to deliver that plan, and the only way to develop that
capability is through practising or as Business Continuity professionals prefer
to say, through exercising.

So should a BCP be
based on particular scenarios?

Well according to Andy, “scenario-based plans are a waste of
time”.What Andy was essentially saying
with this somewhat controversial statement (at least at first glance) is that there is no way that we can think of
every possible scenario nor can we plan for every conceivable type of incident
that we may be faced with at some point in the future.More often than not, old Murphy’s Law will
kick in and you will find yourself either faced with the one scenario you
hadn’t thought of or the scenario you had in your head pans out quite
differently in reality.What is critical
here is not to plan for every
scenario, but to plan for any
scenario and the way you do this is to build the capability within your
organization to respond to any incident by getting the people involved to
rehearse again and again until they know their lines off by heart (speaking in
theatrical terms of course)!

What about scenario-based
exercises?

Scenario-based exercises, on the other hand are not a waste
of time but can be very valuable in terms of emphasising issues that no one had
thought of; highlighting your strengths and your weaknesses (remember, you are
only as strong as the weakest link); clarifying responsibilities; testing your
communications and ultimately, helping you to improve and enhance your response
capability.

Which scenarios
should you select?

It doesn’t really matter what type of scenario you select,
but what it does need to be is credible, engaging and realistic and it needs to
meet and reflect your objectives and the key issues you are hoping to address
through the exercise.So when planning
an exercise, don’t start the process by trying to think of some great
theatrical spectacular, focus in the first instance on your objectives and
issues.You can make up the most
exciting, mind-blowingly creative and fictitious incident, but if it doesn’t
meet your objectives then it will have little value and will really be a
complete waste of time!

When it comes to facilitation of a scenario-based exercise,
there are many approaches that can be taken.It could be as simple as a desk-top exercise where you gather everyone
around the table to talk them through the plan or even walk them through it; or
it could be a bigger event involving role play and fake journalists, doctored
photos and staged radio broadcasts.

The key observation made by Andy based on his extensive
experience in the field, is that what you do will and should be decided by the
people you need to involve inasmuch as some people will feel comfortable with
role play; others will feel totally out of their comfort zone; some will react
well and others badly.You need to
understand the composition of your Incident Management Team, the intricacies of
their personalities as well as having (if possible) some insight into past
history and previous experiences and traumas so that you can at least make some
kind of pre-judgement as to how they might react to certain scenarios and
whether they are the right men or women for the job.

You also need to
consider whether they can work well together as a team and whether indeed they
know each other well enough to perform effectively as a unit, after all, you
are only as good as the sum of your parts.

Both approaches of course have their value.If you decide for the role play (which does
not involve dressing up in fancy costume), you can make this as realistic as
you like, just be sure to be aware of the fact that different people will react
in different ways.Certainly, if you
wish to include a death of a colleague in your scenario, it is wise not to use
real people’s names but safer to stick to a fictitious name instead; using real
names can have terrible emotional consequences for some of the players on your
stage. How realistic you can make it,
will of course depend on how realistic you can afford to make it, but the sky
really is the limit here.You can
involve multiple teams and use multiple locations in your scenario; there is no
right or wrong.Andy did, however,
strongly advise anyone planning to use multiple teams to first carefully
consider which teams to involve at what point otherwise you will have people
involved with nothing to do for long periods of time, which destroys the ‘engaging’
element of your scenario and will result in loss of interest and loss of
ownership and ultimately spell out a miserable failure.

So how do you get the
most out of your exercising?Here Andy’s
top tips:

Plan and prepare for your exercise properly

Think about the management and the coordination of
the exercise

Use experienced facilitators

Develop an exercise plan and schedule

Ensure you have clear objectives and measurable
success criteria

Brief all participants including the
facilitators in advance as well as you can or should

Have some independent observers on the side line
as they can provide excellent, impartial feedback post-event

Create and use post exercise critique forms and
log books to capture key information and observations

Write a report and follow up on the report’s
recommendations as part of your lessons learned (after all exercising is also
about improving your capability)

Finally de-brief everyone who was involved and
make sure all loose ends are firmly tied up

At this point, Andy reminded us of the 5 Ps (or 6 Ps used in
the army, but we won’t mention the sixth one here!): Proper Planning Prevents Poor Performance –
good planning breeds success; success breeds confidence, confidence in your
plan, in your team and ultimately in your organization to withstand any scenario!

The final question
that Andy put on the table was when to exercise?

The Business Continuity Management Lifecycle tells us to
exercise and test at the end of the process, but we could exercise during
strategy definition or maybe during the implementation process.In fact, Andy went one step further and made
the brave suggestion that maybe the Lifecycle should begin with exercising as
this is guaranteed to make people sit up in their seats and pay attention; it
will highlight the key issues; it will emphasise the importance of Business
Continuity and it could be key to getting buy-in especially at the top, which
as we know can be more than difficult!

This webinar certainly provided me with ample food for
thought and hopefully you have learned something too by reading this blog!

Friday, 22 March 2013

My topic of choice
for yesterday's webinar listen-into was the one on Cyber Threats and Cyber Security
by Brendan Byrne from IBM in which Brendan shared both IBM’s and other
organizations experiences from the dark world of cyber threat.

According to a recent IBM survey, the biggest threat
perceived by Business Continuity professionals is cyber-security.Some of the challenges faced include BYOD
(Bring Your Own Device) which is on the increase; the widespread use of social
media with its pros and cons; workforce mobility and the increasing use of
cloud-based solutions.

The landscape is changing for organizations all around the
globe.Big Data or Smarter Data
inevitably means more security considerations and the growing use of online
services is another cause for security concern.The boundaries are becoming blurred as we step up the use of the innovative
technology that is advancing our way.Supply Chain Security, as Brendan quite rightly said, is indeed only as
strong as the weakest link in the chain and the expanding use of data is
presenting more and more problems in terms of potential threats to an
organization.

According to the X-Force Research Team (just one of the jewels
in IBM’s crown) who is tasked with analysing the worldwide web on a daily
basis, scanning the horizon for new trends and new vulnerabilities, there are
over 40M spam and phishing attacks every month!Now that is a scary figure.KPMG’s Data Loss Barometer 2012 showed that hacking is the number one
cause of data loss and that data loss incidents have increased by 40% since
2011.There is evidence of new attack
activity as malware gets too clever for its boots.Some of the challenges faced are down to
things as apparently simple as passwords (or rather the common and widespread
use of the same password) and of course there is the challenge of BYOD and a
new concept, called APT (Advanced Persistent Threats).

One of the key messages that this webinar drove home, was
the importance of embedding cyber-security into an organization’s business
culture.It is not enough to develop a
policy and then file it away thinking that the job is done and a big fat tick
has been put in the box.With a
constantly changing landscape and new threat activity entering the “Cyber
Charts”, it is essential that organizations review, review and review again to
ensure that their policies and procedures meet the current and future security
needs of their business.

One of the key issues is that cyber threats are just getting
more and more sophisticated.Motives for
cyber-attacks range from simple curiosity, to revenge, right through to the big
stuff like espionage and political activism.The players or actors on the cyber stage are also becoming increasingly
more educated and organised.They scale
of actor type runs from the inadvertent actor, who may cause an incident
through ignorance or lack of training; to the opportunist that just grabs the
moment to do some damage; to the “hacktivist” (remember that is the number one
cause of data loss); right through to the top of the tree with the advanced
actor, that heads up some big scam.

According to IBM research, the top three IT risks that
damage a company’s brand (its greatest asset) and reputation (as perceived by
BC professionals) are:Data Breach;
Systems Failure and Data Loss in that order.

An interesting example of a botnet was put in the room as
such to demonstrate both its apparent innocence and its inherent danger.We can all very easily download a botnet.More often than not, this just sits
harmlessly on our computers until the organiser of said botnet decides to sell
this onto another organization, which in turns uses this to collate important
and personal data and there we have it – bring this data together into one
central location and you have a hacker’s dream and the so-called Money Mule
concept kicks or trots (does a donkey trot?) into action.So we see that the end users are also part of
an organization’s security landscape.

Brendan also expanded on the IBM approach to managing cyber
threats. The IBM approach consists of two elements – the first is the
“Pre-exploit”, which is all about prediction and prevention and the second is
the “Post-exploit” which is about reaction and remediation.Every organization needs to adopt this
approach.Every organization needs an
instant handling approach and every organization needs an intelligent view of
their security position.When working
with clients, IBM has discovered that most organizations think they have an
optimised approach; but reality tells another story with the majority only
having basic measures in place.Organizations need to aim to be proficient in order to be able to
proactively protect themselves from cyber-attacks.

Brendan listed the
essential practices as follows:

Build a risk awareness culture and management
system

Manage security incidents with greater
intelligence

Defend the mobile and social workplace and make
social media work for you and not against you

Have security-rich services by design and not as
an after-thought

Automate security hygiene

Control network access and help assure
resilience

Address the new complexity of cloud and
virtualisation

Manage third party security compliance

Better secure data and protect privacy

Manage people’s identity throughout the whole
security lifecycle

Brendan then talked
about the IT Trends for 2013, which he defined as follows:

Cloud security will move from hype to a mature
solution and will progress

Advances in BYOD mobile will increase and be
more secure than laptops by 2014

Compliance will be a big driver for 2013 with
organizations facing potential fines of 2% of their global annual turnover

Data explosion will increase

And in conclusion,
Brendan left us with the top threats for individuals to consider in 2013 and
these are:

Cyber Security

Supply Chain Security

Big Data

Data Security in the cloud

Consumerization

So yes, cyber-threats
are very real, but with the right approach to cyber-security they can be
managed!

Thursday, 21 March 2013

Once again your BC Eye tuned into yet another excellent webinar – just
one of the many free webinars that are being run as part of this year’s BCAW
activities to raise awareness around the value of Business Continuity.

This one discussed the rise (and not fall) of contingency planning
(widely used and known in the financial sector as the way to deal with threats)
and its continued rise to become an integral part of good Business Continuity
practice.

Lee talked about the specific role of the BC professional in Contingency
Planning, which he neatly defined as the individual who makes an action plan
actionable and the challenges a BC Manager faces as a non-financial
professional of being deemed capable of assuming responsibility for supporting
the development of a Contingency Plan.

The key thing this presentation drove home to me was that fact that
Contingency Planning, Continuity Capability and Crisis response should not be
dealt with in isolation but that they all support each other.Continuity Planning is all about the pre-plan
response for things that can be reasonably planned for; Contingency Planning is
all about dealing with specific threats or scenarios; and Crisis Response is
required when an event goes beyond reasonable planning and poses a high degree
of threat to the existence of an organization.Together they form, as Lee stated, “a three-line defence” mechanism,
which works!

Putting this concept into a context that we can all relate to, Lee took
us through a case study that demonstrated the successful application of the
3Cs, namely, Cheltenham Races, which are organised by the British Horseracing
Authority.

He explained that the Continuity Capability was in this instance about
‘keeping the show on the road’, which meant making sure the event could happen,
like for example identifying an alternative location for the same date (not
easy to change a race date).This
included the recognition of the fact that things can go wrong and that there
will inevitably be disruptions, after all, it is the winter race programme in
the UK that we are talking about here!Then he talked about the Contingency Planning element, which in this
case was essentially having plans at local level (i.e. for the racecourse
itself) in the event that it snowed, or there was a hard frost or security
issues.And finally he talked about the
Crisis Response, for the bigger things like injuries to the horses, cruelty to
animal campaigns that might damage the good reputation of the British
Horseracing Authority as well as our beloved (and I can say that as a Brit)
Cheltenham Races or cause a major disruption to the event.

The success of this wonderful example of the practical application of the
3 Cs was evidenced through an enhanced reputation and wide public recognition
according to the British Horseracing Association.There were lots of contributory factors
including good communications; making sure the needs of all the race
stakeholders were met; bending the rules a bit where necessary (or as Lee
referred to it, flexible policy); not having a fixed plan but having the
capability to deal with threats and incidents; as well as the continuity of
staff.

The next phase of this truly insightful webinar was about the application
of the 3 Cs to threats and risks or rather the question of how this could be
done.This is where the black swans of
this year’s BCAW 2013 theme appeared on the horizon.(Remember the mainbanner on the BCAW website?)Lee defined the
characteristics of these infamous black swans as: unexpected; more consequential than your white
swan (the ones you do see coming); relative in terms of knowledge (i.e. the
more knowledge, the less black the swan (!); and ones where we have a clear
understanding of what the consequences could be even if we don’t know what that
event will be exactly or how likely it is.

Here, Lee brought into play the famous “Known, Knowns” concept of
Donald Rumsfeld (2002) and linked them to the 3 Cs as follows:

Known Knowns i.e. things we know we know, which can be
dealt with using Contingency Planning;

Known Unknowns i.e. the things we know we don’t know, which
require us to build Continuity Capability;

Unknown Knowns i.e. the things we know about but don’t know
when they will happen, which if they do, will require a Crisis Response;

Unknown Unknowns i.e. the things we don’t know about nor do we
know when they will happen, which also fall under the remit of a Crisis
Response.

In conclusion, Lee brought us back to the opening topic of the webinar,
namely, Contingency Planning, which he concluded, is known, particularly in the
Financial Sector to work across strategic, financial and operational risks.What this webinar proved was that the 3 Cs
would work just as well and actually when we talk about Contingency Planning,
in essence, we are talking about the application of the 3 Cs; all we are doing
essentially is using different elements of the same structure.Which elements we ultimately use, will simply
depend on the level of our knowledge.

So Contingency Planning really is on the rise; on the rise to become an
integral part of Business Continuity and the application of the 3 Cs will help
us to build resilience.

Wednesday, 20 March 2013

Tuesday of Business Continuity Awareness Week saw the launch
of the Chartered Management Institute’s annual Business Continuity Management Survey which is supported by the BCI, the BSI and the UK’s Civil Contingencies
Secretariat. The setting for this year’s launch was the rather imposing setting
of the Grand Committee Room, House of Commons, Palace of Westminster and took
the form of a discussion around “Weathering the storm: is lack of business
continuity management holding back the UK economy?” Member of Parliament, Barry
Sheerman, Chair of the All-Party Parliamentary Group on Management hosted the
event.

BCI members, Martin Caddick MBCI, Rob McAssey AMBCI and
Néstor Alfonzo Santamaria AMBCI formed the majority of the panel which was
chaired by CEO of the CMI, Anne Francke.

The CMI’s annual survey, now in its 14th year, is
markedly different from other business continuity surveys in that the
respondents are not business continuity practitioners but more general managers
who look at disruption, and potential disruption, giving a different
perspective. Research purists may argue that the methodology underpinning the
survey – that of a self-selecting group of 637 individuals from a sample of
25,000 – is not robust but the longevity of the survey and the benchmark it
provides cannot be disputed.

As was highlighted in the theme for the evening’s
discussion, the extreme weather experienced in the UK over the past 3 winters
ranked most highly as a continuing threat based on recent disruptions. When we
refer to “extreme” that is, of course, by UK standards and I am sure that our
members based in Canada, Scandinavia and other Northern countries will have a
different opinion. What was particularly interesting was the low threat rating given to cyber-attacks by the respondents to the CMI survey as this threat is given
increasing importance by business continuity practitioners in BCI surveys. This
perhaps highlights the difference between visible and obvious threats that can
be seen by general management and less visible threats which may already have
been dealt with as “business as usual” by specialist practitioners.

Our BCI members on the panel did an excellent job of
reinforcing the business continuity message of “don’t focus on the cause but
look at the impact of an incident”. Martin Caddick of PwC talked about: the
cost of implementing business continuity and whether it could be seen by senior
management as a waste of money if never invoked; the scale of the cost of an
incident which can rise exponentially once the reputation of an organisation is
threatened; and how a robust business continuity programme may bring about a
reduction in Business Interruption Insurance premiums. Rob McAssey of the Adidas Group gave us a lovely case study
of embedding business continuity – firstly in the UK, then throughout Europe
and finally worldwide – the stress being on ensuring the process is enjoyable
by those participating. Finally, Néstor Alfonzo Santamaria, a Contingency
Planning Officer at the City of London spoke of a collaborative approach and
how the 33 Local Authorities within London have worked together to share best
practice to help make London more resilient.

Questions from the floor to the panel, as might be expected,
questioned how business continuity as a specialism fitted within a management
structure and asked whether the discipline shouldn’t just be embedded within
management roles as the norm. The panel agreed that embedding was an aspiration
but as organisations move towards this they should identify key processes
through BIAs, plan how to keep these processes operational during and after an
incident and carry out regular exercises to test these plans using a range of
stimulating scenarios. With his tongue only slightly in his cheek, Néstor
advocated a Zombie Apocalypse scenario urging the audience to “pretend and
enjoy”.

Monday 18th March saw the official launch of the Good Practice Guidelines (GPG) 2013, the independent body of knowledge for good Business Continuity (BC) practice worldwide.

The launch of GPG 2013 signifies a memorable event for BC
professionals all around the world and marks a key milestone for the Business
Continuity Institute (BCI).Its release
has met with great enthusiasm and has been applauded around the globe as a key
tool in achieving organizational resilience.

GPG 2013 is central to the work of the BCI as it underpins BCI Certification
and the BCI Statutory membership application process as well as the validation
of BCI Training.

Furthermore, it provides the BCI with a solid industry benchmark
against which the technical and professional competence of its members can be effectively
measured and examined.So it is key to
the Institute and plays an important role in the daily lives of BC
professionals.

The Good Practice Guidelines 2013 are not a standard or a mandate;
nor are they designed to serve the same purpose as a standard.They don’t just prescribe what you have to
do, but offer more scope and insight by explaining the how, why and when of
good BC practice.

Building on the technical, practical as well as academic
experiences of BC professionals from across the BCI’s global Statutory
membership, they really do reflect current thinking on BC.What makes them even more significant and
formidable is the fact that they can be applied to every type and size of
organization working in any sector in any part of the world.So whether you are working in the Middle
East, the UK or are up a mountain in the beautiful Swiss Alps, the GPG 2013 is
relevant to you.

One of the principal strengths of the Good Practice Guidelines
2013 is that they have not been written in isolation.They have been carefully aligned to various
standards and recognised industry practices across a wide range of BC related
disciplines, including Risk and Crisis Management, to ensure that they are as
comprehensive and current as possible.They
are not the only resource that can be used to develop a Business Continuity
Management (BCM) programme, but they certainly represent one of the key reference
sources and remain a top resource for BC professionals when setting up a BCM
programme.

The Good Practice Guidelines 2013 have been subject to a stringent
quality assurance process to ensure they continue to drive the highest
standards in BC.In fact, they have been
through multiple audits and reviews by a wealth of BC experts to ensure they
are relevant, coherent and above all easy-to-read and easy-to-follow as all
good guidelines should be.

So
what has changed?What makes this GPG
different to the others?

Well
the key word here is simplification.The
core principles remain the same, but the tone, quality and consistency of the
GPG have been improved and the language has been notably simplified making it
far more inclusive.

BCM Lifecycle

The GPG has retained its six Professional Practices (PP1 right
through to PP6); the only difference is that they have “simply” been renamed
and are now referred to as:Policy
and Programme Management; Analysis; Design; Implementation; Validation and
Embedding Business Continuity.Together these six Professional Practices make up the BCM Lifecycle, which
is central to good BC practice and ensures the success of any BCM Programme and
its continued value to the organization.

The GPG 2013 now uses terminology from the international standard
for business continuity, ISO 22301:2012, thus improving its international
appeal and relevance.

Logic, simplicity and a clear structure now characterise the very essence
of the GPG, running through its pages from start to finish.In particular, the BCM Lifecycle has been
subject to an especially positive and eye-catching make-over, which now better
reflects the purpose of the Lifecycle, which is to embed BC in an organization
by working through the other 5 Professional Practices that make up the Lifecycle,
each one taking you closer and closer to your target.For those of you familiar with the previous
Lifecycle, the BCI has simply turned in inside out!

The GPG 2013 also makes a key differentiation between Business
Continuity as a discipline that leads to
organizational resilience and Business Continuity Management as a
process, which is the sum of the activities that make up good BC practice,
which is in itself quite revolutionary and will play a key role in taking this
discipline forward and ensuring its cross-disciplinary adoption by Crisis, Risk
Managers and the like and not just by BC practitioners.

To mark the occasion of the official launch, Lyndon Bird FBCI and
Deborah Higgins MBCI, the editor-in-chief and assistant editor respectively,
delivered an insightful webinar that highlighted the key changes to
the GPG 2013 and talked attendees through the BCM Lifecycle.If you missed the presentation, fear not, you
can catch up here

During the presentation they ran a couple of polls and the results
were interesting with 50% of the attendees confirming that the GPG is one of
the sources they use when putting together a BCM Programme and 74% confirming
that the GPG adds value to their work.Pretty healthy statistics!

At the moment, the Good Practice Guidelines are only available in
English (UK), but there are plans for other editions in line with the
requirements of the global membership of the BCI.

By the end of June, copies will be available in English (USA),
French, Spanish, Chinese, Japanese and Arabic. Additionally, BCI members are working on the
further languages of German, Italian, Portuguese and Korean which will be made
available as soon as they are ready.

BCI Members are entitled to a free download via the BCI Members’
Area; non BCI Members can buy a pdf version here

A hard copy of the GPG 2013 will be available
to buy in May and BCI Member rates will apply.

If you are not yet a member of the BCI, why not think about
joining?Find out more here